The Society of Corporate Compliance and Ethics (SCCE) held their annual Ethics and Compliance conference from September 20 to 24 in Las Vegas. This year, I was fortunate enough to be selected to hold a three-hour workshop on risk-based compliance: “Meeting Increased Customer Expectations, Not Just Regulatory Requirements.”
The SCCE holds this conference to promote ethical and compliant practices in organizations and to equip ethics and compliance professionals with skills and tools necessary to work more effectively with the board, management, and employees in their organizations.
At a time when corporate scandals are around every corner, conferences like the SCCE’s are more important than ever. I’ve always maintained that risk management is so much more than avoiding fines and lawsuits; it’s about empowering organizations to act with integrity and make decisions that align with their strategic objectives and protect the interests of their stakeholders.
It was my pleasure to contribute to such a prolific event and share my experience with risk and compliance professionals. In this blog, I’ll recap my key takeaways from the session and point you to some tools you might find useful in applying them to your own organization.
Meeting Increased Expectations, Not Just Regulatory Requirements
My session focused on seemingly unconnected scandals like Facebook and Equifax to stress the point that all scandals are preventable since they stem from ineffective risk management. In these examples in particular, I emphasized the notion that not all scandals violate a regulation or can be categorized as non-compliance.
In a see-through economy, consumers move more quickly than regulators possibly can. Over time, consumers come to expect more from the brands they do business with. They expect their information to be secure, they expect their information to be used in their best interest, and they expect to be protected by these businesses. So even when regulations do not stipulate a company did anything wrong, a scandal can still damage a company’s reputation and market value because consumers are empowered to spread their disappointment to others.
- Equifax: 33% decrease in stock value
- Facebook: 21% decrease in stock value
Some are under the impression that these stocks bounce back. However, research has shown that risk management failures are severe and take years to overcome. A recent study on the RIMS Risk Maturity Model showed that companies with an adequate risk management program have a 25% higher market value than their peers. Look no further than Volkswagen, Facebook, Theranos, and many others.
So how can ethics, compliance, and risk professionals keep their company safe from distracting mishaps when the regulatory environment and consumer expectations are changing so fast? The solution is a risk-based approach. Failures in risk management are 100% preventable. In most cases they are known to many employees 6-18 months in advance, which is plenty of time to make a correction.
How Do You Take a Risk-Based Approach to Compliance?
The basic tenet of a risk-based approach is engagement. Regulations and expectations are moving far too quickly for any one compliance professional to manage change on their own. Risk and compliance professionals need to come together to enact a risk-based process that collects information across levels and departments of the organization.
The best way I was able to demonstrate the sheer quantity and complexity of all the activities compliance professionals manage, as well as their ideal order of operations, was with a handy graphic the LogicManager team put together. I encourage you to download our Risk-Based Approach Wheel.
As I said, the activities in this wheel can’t be accomplished alone. Therefore, you need a way to engage other professionals. The best tool I provided to attendees to accomplish this was LogicManager’s Risk-Based Translator. This tool sheds some light on the different terms each department uses to talk about risk and compliance. It may seem like everyone’s talking about something different, but when you employ a common risk language, you can see that every department holds a piece of the puzzle and communicate better about common goals.
Steps to Risk-Based Compliance
During the session, I took attendees through each stage of a risk-based compliance process.
- Identify risks across the organization
- Connect risk root causes to corporate policy
- Link Regulations and Requirements to these risks and their mitigating controls
- Structure reporting for flexibility and efficiency
- Develop a process for managing change over time
You can learn more about these steps in detail by downloading this eBook on risk-based compliance.
One of my favorite features of the session was that it wasn’t just a talking session, it was an open discussion. I enjoy audience participation, engagement, and interaction when attendees ask questions or raise concerns they have about their own organization’s processes.
This time, as I took them through each step of the process, I asked them to apply each step to a case study I handed out on Chipotle. The food-borne illness outbreaks Chipotle has been experiencing are great examples of failures in risk management that go above and beyond compliance, which is just the minimum operating standard. Nevertheless, Chipotle has suffered a 46% decrease in their stock value since the initial outbreaks in 2015.
Attendees identified the root causes of the continued outbreaks and discussed a series of questions, such as which controls they thought would mitigate the chain’s risks and how a risk-based approach could have prevented future scandals.
The feedback from attendees was immensely exciting and I look forward to presenting at more SCCE and other conferences in the future!
This article was originally posted on LogicManager.com